2097757 – yum update --security

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2097757 - yum update --security

Summary: yum update --security

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	dnf
Sub Component:
Version:	8.6
Hardware:	All
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	amatej
QA Contact:	Eva Mrakova
Docs Contact:	Mariya Pershina
URL:
Whiteboard:
Depends On:
Blocks:	2101398
TreeView+	depends on / blocked

Reported:	2022-06-16 13:10 UTC by jcastran
Modified:	2022-11-08 12:29 UTC (History)
CC List:	3 users (show)
Fixed In Version:	dnf-4.7.0-11.el8
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	2101398 (view as bug list)
Environment:
Last Closed:	2022-11-08 10:47:20 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-125465	0	None	None	None	2022-06-16 13:22:19 UTC
Red Hat Product Errata	RHBA-2022:7712	0	None	None	None	2022-11-08 10:47:35 UTC

Description jcastran 2022-06-16 13:10:28 UTC

Description of problem:
yum update --security is not applying security updates that are available

Version-Release number of selected component (if applicable):


Steps to Reproduce:
1. # mkdir /test/
2. # tar xf rpm_db.tar.bz2 -C /test/
3. # yum --installroot=/test/ update kexec-tools --security --assumeno
4. # yum --installroot=/test/ update --security --assumeno

Actual results:
 * yum updateinfo list sec   ###Shows errata as available
 * yum update --security     ###kexec-tools is not updated
 * yum update kexec-tools --security    ###Shows an update which means its security related


Expected results:
yum update --security should apply updates when applicable

Additional info:

Comment 1 amatej 2022-06-23 07:57:08 UTC

A quick solution would be to use the best option (which is the default).

But we are working on a general fix: https://github.com/rpm-software-management/dnf/pull/1832
And tests: https://github.com/rpm-software-management/ci-dnf-stack/pull/1130

Thank you for the report.

Comment 3 jcastran 2022-06-27 11:46:16 UTC

> A quick solution would be to use the best option (which is the default).

best is applied by default and does not make a difference.
- - - - - - - - - 
[root@r8 ~]# grep best /etc/yum.conf
best=True


[root@r8 ~]# tar xf rpmdb.tar.bz2 -C /test/


[root@r8 ~]# yum --installroot=/test/ updateinfo list sec | grep -iE kexec
RHSA-2021:4404 Low/Sec.       kexec-tools-2.0.20-57.el8.x86_64


[root@r8 ~]# yum --installroot=/test/ update --security --assumeno
==============================================================================================
 Package               Arch     Version              Repository                          Size
==============================================================================================
Upgrading:
 cups-libs             x86_64   1:2.2.6-45.el8_6.2   rhel-8-for-x86_64-baseos-rpms      435 k
 grub2-common          noarch   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms      893 k
 grub2-pc              x86_64   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms       44 k
 grub2-pc-modules      noarch   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms      920 k
 grub2-tools           x86_64   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms      2.0 M
 grub2-tools-efi       x86_64   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms      477 k
 grub2-tools-extra     x86_64   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms      1.1 M
 grub2-tools-minimal   x86_64   1:2.02-123.el8_6.8   rhel-8-for-x86_64-baseos-rpms      211 k
 rsyslog               x86_64   8.2102.0-7.el8_6.1   rhel-8-for-x86_64-appstream-rpms   753 k
 rsyslog-gnutls        x86_64   8.2102.0-7.el8_6.1   rhel-8-for-x86_64-appstream-rpms    32 k
 rsyslog-gssapi        x86_64   8.2102.0-7.el8_6.1   rhel-8-for-x86_64-appstream-rpms    34 k
 rsyslog-relp          x86_64   8.2102.0-7.el8_6.1   rhel-8-for-x86_64-appstream-rpms    34 k
 xz                    x86_64   5.2.4-4.el8_6        rhel-8-for-x86_64-baseos-rpms      153 k
 xz-libs               x86_64   5.2.4-4.el8_6        rhel-8-for-x86_64-baseos-rpms       94 k

Transaction Summary
==============================================================================================
Upgrade  14 Packages

Total download size: 7.0 M
Operation aborted.



[root@r8 ~]# yum --installroot=/test/ update kexec-tools --security --assumeno
==============================================================================================
 Package               Arch    Version                   Repository                      Size
==============================================================================================
Upgrading:
 dracut                x86_64  049-201.git20220131.el8   rhel-8-for-x86_64-baseos-rpms  376 k
 dracut-config-rescue  x86_64  049-201.git20220131.el8   rhel-8-for-x86_64-baseos-rpms   61 k
 dracut-network        x86_64  049-201.git20220131.el8   rhel-8-for-x86_64-baseos-rpms  109 k
 dracut-squash         x86_64  049-201.git20220131.el8   rhel-8-for-x86_64-baseos-rpms   62 k
 kexec-tools           x86_64  2.0.20-68.el8             rhel-8-for-x86_64-baseos-rpms  523 k

Transaction Summary
==============================================================================================
Upgrade  5 Packages

Total download size: 1.1 M
Operation aborted.

Comment 5 amatej 2022-06-28 07:00:34 UTC

I think best does make a difference.

Can you try?
[root@r8 ~]# yum --installroot=/test/ update --security --assumeno --best

-----

> [root@r8 ~]# grep best /etc/yum.conf
> best=True
This shouldn't affect your run because this is the host's config but you are running with installroot and it prioritizes the installroot's config first (which doesn't have best specified).

The problem is that best is the default on RHEL in the sense that it is the default configuration specified in dnf.conf: best=True, but if it is removed (like in the customer's config) dnf's default without any config is False.

Comment 14 errata-xmlrpc 2022-11-08 10:47:20 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (dnf bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7712

Note You need to log in before you can comment on or make changes to this bug.